Deadline for Updating HIPAA Business Associate Agreements is September 22, 2014

September 18, 2014

The Department of Health and Human Services published a final rule on January 25, 2013 modifying HIPAA's privacy, security, enforcement and breach notification requirements. Those modifications may require changes to business associate agreements (BAAs) between covered entities (for example, a health plan) and their business associates.

The compliance deadline for these changes was September 23, 2013. However, the final HIPAA rule included a transition provision for BAAs that were entered into before January 25, 2013 (the publication date of the final rule) and were not renewed or modified between March 26, 2013 and September 23, 2013. Such a BAA is deemed compliant until the earlier of (1) September 22, 2014; or (2) the date the agreement is renewed or modified on or after September 23, 2013.

The transition rule extended the time for the paperwork only. It did not extend the time allowed for the covered entity and the business associate to comply with the substantive changes made by the final HIPAA rule.

Significant Changes For Business Associates in HIPAA Final Rule

Expanded Definition of "Business Associate"

The final HIPAA rule expanded the definition of "business associate" to include all entities that create, receive, maintain or transmit protected health information (PHI) on behalf of a covered entity, including subcontractors. Also, the final rule clarified that entities that store PHI, in hard copy or electronic format, are business associates even if they do not access, use or disclose that information.

Where a business associate engages a subcontractor, it is the business associate, not the covered entity, that must enter into a business associate agreement with the subcontractor. A covered entity must obtain satisfactory assurances (through a BAA) from its business associates that they will appropriately safeguard PHI; business associates must obtain the same assurances from their subcontractors, and so on, no matter how far "downstream" the information flows.

New Compliance Obligations

The final rule also specified which privacy and security provisions apply directly to business associates, and made clear that business associates are directly liable for failing to comply with those requirements. For example, business associates are directly responsible for complying with:

Burnham is a modern employee benefits and insurance services company. We apply a unique blend of expert knowledge, unmatched personal service and proactive planning to create proven strategic solutions and promote a culture of wellness for our clients.